CVE-2026-43129

MEDIUM EPSS 2.3%
Published May 6, 20261mo ago · Modified Jun 19, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 6, 2026 1mo ago
Last Modified Jun 19, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ima: verify the previous kernel's IMA buffer lies in addressable RAM Patch series "Address page fault in ima_restore_measurement_list()", v3. When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>" we observe a pafe fault that happens. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) not-present page This happens on x86_64 only, as this is already fixed in aarch64 in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") This patch (of 3): When the second-stage kernel is booted with a limiting command line (e.g. "mem=<size>"), the IMA measurement buffer handed over from the previous kernel may fall outside the addressable RAM of the new kernel. Accessing such a buffer can fault during early restore. Introduce a small generic helper, ima_validate_range(), which verifies that a physical [start, end] range for the previous-kernel IMA buffer lies within addressable memory: - On x86, use pfn_range_is_mapped(). - On OF based architectures, use page_is_ram().

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 3

VendorProductVersionRange
linuxlinux_kernel*≥6.0  –  <6.12.77
linuxlinux_kernel*≥6.13  –  <6.18.16
linuxlinux_kernel*≥6.19  –  <6.19.6

References 5

  • git.kernel.org https://git.kernel.org/stable/c/10d1c75ed4382a8e79874379caa2ead8952734f9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/43308106a1762b72f3b20a44b75b2df5cb25b77b
  • git.kernel.org https://git.kernel.org/stable/c/5366ec7d2f793ce703c403d7fd4c25a3db365b9d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f11d7d088f5ed54b31c6735854c12845eb60eb4a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/10d1c75ed4382a8e79874379caa2ead8952734f9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5366ec7d2f793ce703c403d7fd4c25a3db365b9d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f11d7d088f5ed54b31c6735854c12845eb60eb4a
    Patch